> I might be wrong, but isn't a suid root winewrapper much more dangerous
> compared to the realtime-lsm solution? All realtime-lsm does is allow
> mlock and realtime privileges for a given user or group, while a suid root
> wineserver would also have access to root-only files and device nodes, no?

The idea would be to have it drop privs after acquiring CAP_SYS_NICE, or
whatever it's called.

Alternatively have wineserver run as root (like the real kernel!) and do
access checks on the client.
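
A sketch of the first option in the reply, added here as an illustration; it is not code from this thread or from Wine. It assumes a setuid-root Linux binary that calls it before doing anything else, and the names only_cap and drop_root_keep_nice are hypothetical.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* for syscall() and setgroups() */
#endif
#include <grp.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>
#include <linux/capability.h>

/* Fill a v3 capability set holding exactly one capability (permitted and
 * effective) with nothing inheritable. */
void only_cap(int cap, struct __user_cap_data_struct d[2])
{
    memset(d, 0, 2 * sizeof d[0]);
    d[CAP_TO_INDEX(cap)].permitted = CAP_TO_MASK(cap);
    d[CAP_TO_INDEX(cap)].effective = CAP_TO_MASK(cap);
}

/* Become uid/gid for good, keeping only CAP_SYS_NICE.
 * Returns 0 on success, -1 on any failure (caller should then exit). */
int drop_root_keep_nice(uid_t uid, gid_t gid)
{
    struct __user_cap_header_struct h = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct d[2];

    if (uid == 0 || gid == 0) return -1;      /* refuse a no-op "drop" */
    /* Without KEEPCAPS the uid change below empties the permitted set. */
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) != 0) return -1;
    /* Groups before uid: after setuid() we may no longer change them. */
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* setuid() cleared the effective set; raise only CAP_SYS_NICE again
     * and throw away everything else that was still permitted. */
    only_cap(CAP_SYS_NICE, d);
    if (syscall(SYS_capset, &h, d) != 0) return -1;
    prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0);
    /* If root can be regained, the drop did not work. */
    if (setuid(0) == 0 || getuid() != uid || geteuid() != uid) return -1;
    return 0;
}

/* In a setuid-root binary getuid()/getgid() are the invoking user's ids. */
int main(void)
{
    return drop_root_keep_nice(getuid(), getgid()) == 0 ? 0 : 1;
}
```

Run without root this exits 1 at the setgroups() step; the drop only succeeds when the process starts with euid 0.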